<html><head></head><body><div style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:small;"><div>My command is: sudo suricata -c /etc/suricata/suricata-debian.yaml -r /home/pi/now.pcap </div><div><br></div><div id="yahoo_quoted_1821470505" class="yahoo_quoted"><div>On Tuesday, April 4, 2017, 5:27:32 PM GMT+3, Peter Manev &lt;petermanev@gmail.com&gt; wrote:</div><div><div dir='ltr'><html><body>On Mon, Apr 3, 2017 at 11:38 AM, Simon Janeshvili &lt;<a shape="rect" ymailto="mailto:sikking23@yahoo.com" href="mailto:sikking23@yahoo.com">sikking23@yahoo.com</a>&gt; wrote:<div class="yqt6051751976" id="yqtfd77551"><br clear="none">> I am using Suricata 3.2.<br clear="none">><br clear="none">> The Lua script:<br clear="none">> <code><br clear="none">> function init (args)<br clear="none">><br clear="none">> local needs = {}<br clear="none">><br clear="none">> needs["packet"] = tostring(true)<br clear="none">><br clear="none">> needs["payload"] = tostring(true)<br clear="none">><br clear="none">> return needs<br clear="none">><br clear="none">> end<br clear="none">><br clear="none">><br clear="none">><br clear="none">> function match(args)<br clear="none">><br clear="none">> print("********************************")<br clear="none">><br clear="none">> return 1<br clear="none">><br clear="none">> end<br clear="none">><br clear="none">><br clear="none">><br clear="none">> return 0<br clear="none">> </code><br clear="none">><br clear="none">> A very simple one, and this is happening in every pcap I'm using; I just count<br clear="none">> the number of lines and see there is a difference.<br clear="none">> By the way, Suricata is still telling at the end the right amount (as it says in<br clear="none">> Wireshark), but the number of lines is way off.</div><br clear="none"><br clear="none"><br clear="none">How do you start/run that Suricata test?<br clear="none">How do you do the test sequence?<br clear="none">Can you share the pcap?<br clear="none"><br clear="none"><br clear="none">
Thank you<br clear="none"><br clear="none">-- <br clear="none">Regards,<br clear="none">Peter Manev<div class="yqt6051751976" id="yqtfd40000"><br clear="none"></div></body></html></div></div></div></div></body></html>